NPM Watchers
video
Abstract
As the world's largest software registry, NPM represents a massive attack surface for supply chain compromises. This research utilizes "canary packages" to fingerprint the scanning behaviors of cloud providers, security vendors, and nation-state actors. The findings reveal critical coverage gaps, such as a heavy reliance on static analysis over dynamic sandboxing, and highlight how different actors prioritize specific threats (e.g., credentials vs. document macros), leaving sophisticated multi-stage payloads undetected.
Match Rate: 10.00/10 (Relevance to core cybersecurity goals)